nanog mailing list archives
Re: community real-time BGP hijack notification service
From: Matthew Moyle-Croft <mmc () internode com au>
Date: Sat, 13 Sep 2008 16:45:09 +0930
Nathan Ward wrote:
> On 13/09/2008, at 5:48 PM, Matthew Moyle-Croft wrote:
>> Arnaud de Prelle wrote:
>>> I think that most of us (me included) are already using it but the problem is that they don't have BGP collectors everywhere in the world. This is in fact a generic issue for BGP monitoring.
>>
>> In this case it's very important to have a lot of collectors broadly distributed listening in many ASes.
>>
>> For example:
>> If I know there are two BGP collectors driving this service, and they're in, say, AS701 and AS1239, then if I wanted to do a partial hijack (which might be good enough for my evil purposes) then I could advertise a path which had those ASes stuffed in it and prevent downstream collectors in AS701 and AS1239 from learning the hijack path.
>
> Note that the attack becomes less and less effective if you're path stuffing ASes, as it will be preferred by fewer and fewer networks. Put collection points in say 10 networks, and the attack becomes pretty useless. Unless of course you are announcing a more specific prefix than the authentic one.

Absolutely - but it depends how wide you want the hijack - a global one is very obvious, but you can see that a very narrow one of some sites it might be harder (take longer) to detect and live longer. i.e. If I just wanted to disrupt a website to a country or region for political reasons or just to get the ad revenue for a small amount of time, then it might be acceptable to limit the scale in order to evade detection.

I'm not saying this is the end of the world, just reinforcing that widely distributed BGP monitors are necessary for detection. It might be that various projects which have these distributed tools etc can help by becoming feeds for these kinds of notification projects.

MMC

> -- Nathan Ward
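
The monitoring side of this exchange, as an added example that is not part of the original message or of any project mentioned in the thread: a small check that flags origin mismatches and more-specific announcements for a monitored prefix, and records which collector ASes could not have seen a given path because their own ASN appears in it. The prefix, the origin AS, the third collector AS and all sample updates are constructed; AS701 and AS1239 are the two collector ASes named in the thread.

```python
import ipaddress

# Constructed config: a documentation prefix and its legitimate origin AS.
MONITORED = {ipaddress.ip_network("203.0.113.0/24"): 64500}
# ASes feeding the monitor: 701 and 1239 are the thread's two; 64510 is a hypothetical third.
COLLECTOR_ASES = {701, 1239, 64510}

# Constructed updates: (collector AS, prefix, AS path as received, origin last).
SAMPLE_UPDATES = [
    (701, "203.0.113.0/24", [64497, 64500]),               # legitimate route
    (64510, "203.0.113.0/24", [64496, 701, 1239, 64511]),  # collector ASes in path
    (1239, "203.0.113.128/25", [64498, 64511]),            # more-specific prefix
]

def classify(prefix, as_path):
    """Return alert labels for one announcement of a monitored prefix."""
    net = ipaddress.ip_network(prefix)
    alerts = []
    for mon, origin in MONITORED.items():
        if net.version != mon.version or not net.subnet_of(mon):
            continue
        if as_path[-1] != origin:
            alerts.append("origin-mismatch")
        if net.prefixlen > mon.prefixlen:
            alerts.append("more-specific")
    return alerts

def evaluate(updates):
    """Group alerting announcements and record which collectors could not see them."""
    report = {}
    for collector, prefix, path in updates:
        alerts = classify(prefix, path)
        if not alerts:
            continue
        entry = report.setdefault((prefix, tuple(path)), {
            "alerts": alerts,
            "seen_by": set(),
            # Loop prevention: an AS rejects any path that already contains its own ASN,
            # so collectors in these ASes never learn this route.
            "blind": COLLECTOR_ASES & set(path),
        })
        entry["seen_by"].add(collector)
    return report

if __name__ == "__main__":
    for (prefix, path), e in evaluate(SAMPLE_UPDATES).items():
        print(prefix, path, e["alerts"], "seen by", sorted(e["seen_by"]),
              "blind", sorted(e["blind"]))
```

A non-empty `blind` set on an alerting route means the alert rests on fewer vantage points than the collector list suggests, which is the coverage argument made in the thread.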